Routers in the news pretty much means routers being exploited by bad guys to do bad things. I am still waiting for a good news story about routers. The flaws that are exploited are documented on the Bugs page. Articles that offer security advice are listed on the Other router security advice page.

2018

NOVEMBER 2018

Let us not forget bad D-Link security

Uncle Sam, D-Link told to battle in court over claims of shoddy device security: Judge snubs summary judgment bids by Richard Chirgwin of The Register November 6, 2018
The Federal Trade Commission (FTC) filed a lawsuit against D-Link early in 2017 complaining of assorted bad security practices, including hard-coded passwords, command-injection vulnerabilities, misplaced security keys, and plaintext password storage. The FTC claims misrepresentation because D-Link touted the advanced security of its products. The case goes to trial on January 14, 2019.

A large router botnet thanks to a 5 year old bug

IoT botnet infects 100,000 routers to send Hotmail, Outlook, and Yahoo spam by Catalin Cimpanu for ZDNet November 7, 2018
The past two months have seen the rise of the new BCMUPnP_Hunter botnet, composed of roughly 100,000 home routers.
Analyzed by the Netlab team at Qihoo 360, the botnet exploits a five-year-old bug in the Broadcom UPnP SDK, which is embedded in thousands of router models from multiple vendors. The vulnerability is as bad as bad gets: a remote, unauthenticated attacker can execute malicious code on the router. The botnet scans for routers with an exposed UPnP interface on TCP port 5431. The botnet is sophisticated, newly written code by someone quite good at their craft. Infected routers both send spam and function as proxy nodes to hide the location of the bad guys.

BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers by Hui Wang and RootKiter of 360Netlab. November 7, 2018. This is the original source of the story. It cites 116 different types of infected devices observed so far, including routers from D-Link, Verizon Actiontec, Linksys, TP-LINK, CenturyLink Technicolor and ZyXEL. They also note that the Broadcom UPnP code is used by Asus and Netgear.

The camera makes fun of the SMS bill by CERT Orange Polska October 31, 2018
Assorted devices, including routers, that use SIM cards for Internet access were hacked to send SMS messages to foreign countries, earning the bad guys money from SMS termination. Some of the hacked devices were: D-Link DWR-921 4G LTE routers, Teltonika RUT240 industrial routers, Dahua CCTV devices (disputed) and Digi modems. It is thought that the devices were vulnerable because of default passwords. The D-Link DWR-921 router also has a known directory traversal bug that lets attackers download a configuration file containing unencrypted passwords. D-Link will not fix this router and the suggestion is to throw it away. Both articles are in Polish but Chrome translation is good enough to get the gist.

A mysterious grey-hat is patching people's outdated MikroTik routers by Catalin Cimpanu of ZDNet October 12, 2018
In fairness to MikroTik, they have been patching reported bugs quickly. However, it's no surprise that their customers do not install the patches. A lone person has taken pity on unpatched MikroTik routers and is patching them so they cannot be abused by bad guys. Using the name Alexey, this person has bragged about this on a Russian blogging platform. He adds firewall rules that block access to the router. On this site, the Test Your Router page links to many online services that test your router for open TCP/IP ports. The same for the Shodan page. The worst bug (CVE-2018-14847) was patched in April 2018. It lets a bad guy download the user database file. Once decrypted, this gives bad guys the username/password to log in remotely. Alexey claims to have patched over 100,000 MikroTik routers. To put this in perspective, there are over two million MikroTik routers in use and over 420,000 show signs of infection. Bad guys who are installing malware on these routers are not closing WAN side ports, so the routers can still be modified.

Xiongmai video surveillance devices are extremely insecure

Using a router to defend against Xiongmai video devices by Michael Horowitz (me) October 10, 2018
OK, the Xiongmai devices in question are not routers. But, they are so terribly insecure that security firm SEC Consult recommends throwing them in the trash. In contrast, I suggest a number of ways to isolate them while continuing to use them despite their many security issues. My suggestions can apply not just to Xiongmai devices but to all insecure IoT devices.

October 7, 2018: RouterOS from MikroTik was patched with the latest bug fixes at the end of August and in September (they maintain different branches of their firmware). Four bugs that were just patched were found by Jacob Baines of Tenable Research. And, a bug that was patched back in April 2018 was much more serious than previously believed. Only 30% of MikroTik devices have been patched. Details are on the Bugs page. New attacks will surely follow.

70+ different types of home routers (all together 100,000+) are being hijacked by GhostDNS by Netlab 360 September 29, 2018
Starting September 20, 2018, Netlab noticed an existing malware campaign ramp up its attacks with new scanners. Radware blogged about this campaign back in August 2018, but Netlab says it goes back even further. They call it GhostDNS and it now attacks more than 70 different routers. They have seen it infect over 100,000 routers so far. Malicious DNS servers are used to send victims to fake/scam versions of websites. Rather than using a look-alike domain name (citibank.edu instead of citibank.com), the victim uses the real domain name and is directed to a scam site nonetheless. Netlab has observed GhostDNS targeting at least 52 domains so far, including major banks, telcos, ISPs, media outlets, Avira and Netflix. The GhostDNS malware campaign consists of: Shell DNSChanger, Js DNSChanger, PyPhp DNSChanger, a Phishing Web System, a Web Admin System and a Rogue DNS System. There are over 100 attack scripts. Routers are attacked from both sides, from the WAN and from the LAN. 88% of infected routers are in Brazil. Some companies making vulnerable routers are D-Link, Tenda, TP-Link, Roteador and (of course) MikroTik. The full list of known vulnerable routers is in the blog posting. Netlab 360 has been working to take components of GhostDNS off-line. The best defense against all types of DNS attacks is to be familiar with, and look for, the indications that a website uses Extended Validation.

Torii botnet - Not another Mirai variant by the Avast Threat Intelligence Team September 27, 2018
The Telnet honeypot of security researcher Vess On Security was attacked by a new botnet coming from Tor exit nodes. Hard to imagine that devices still leave themselves exposed to Telnet. The malware shows unprecedented levels of sophistication, yet it has no obvious purpose. It can exfiltrate data in quite a few different ways and supports multiple layers of encrypted communication. While it phones home on TCP port 443, this is deceptive because it does not use TLS. While most IoT malware is flushed when the device reboots, Torii uses six different methods to maintain persistence. The malware is modular in design and can infect devices running MIPS, ARM, x86, x64, PowerPC, and SuperH, among others.

Researchers find Russian VPNfilter malware was a Swiss Army hacking knife by Sean Gallagher of Ars Technica September 26, 2018
Reminder of old news: VPNfilter had been detected on a half million routers in 54 countries. And, it is the rare malware that survives a reboot of the router.
New news: The VPNfilter router malware is worse than originally thought. New features were discovered that exploit the entire network connected to the infected router. Run for the hills. Or, better yet, run away from consumer grade routers. The newly discovered features are: inspecting and redirecting HTTP traffic passing through the router, an SSH client, an SSH server, file transfers using SCP, the nmap port scanner, network reconnaissance from the hacked router, scanning for MikroTik devices, a firewall, port forwarding to an outside network, a SOCKS5 proxy server that listens on TCP port 5380, and a reverse-TCP VPN that connects the hacked router to the bad guys (used both to steal data and for remote command and control). Quoting: "VPNfilter was clearly built for long-term use as a network exploitation and attack platform." Keep in mind that this is, in part, an advertisement for Talos themselves. These quotes illustrate my point: "The sophistication of VPNFilter drives home the point that this is a framework that all individuals and organizations should be tracking. Only an advanced and organized defense can combat these kinds of threats, and at the scale that VPNFilter is at, we cannot afford to overlook these new discoveries." and "The sophisticated nature of this framework further illustrates the advanced capabilities of the threat actors making use of it, as well as the need for organizations to deploy robust defensive architectures to combat threats such as VPNFilter."
Also proving my point is that the blogs from Talos are very short on defensive measures. No mention of this website, you can be sure. Just new stuff for Snort and ClamAV. If you don't know how to use these tools, then I am sure Talos can help. They released a program to decrypt the Winbox protocol and failed to mention that MikroTik fixed the bugs, so all anyone has to do is install the latest firmware. They did not offer a link (such as the GRC port probe below) to test port 5380.

You can't secure your network without securing your routers - and your users' routers by David Braue of CSO Online September 27, 2018
Quoting: "The American Consumer Institute Center for Citizen Research conducted an audit of 186 Wi-Fi routers from 14 different manufacturers, using Insignary’s Clarity application to scan the embedded firmware for unpatched security vulnerabilities. Fully 83 percent of examined routers were found to have known vulnerabilities in their code, with an average of 186 vulnerabilities per router ... the report warned that vendors' frequent usage of open-source code had left many routers exposed." The article cites a trifecta of problems: lots of new vulnerabilities being discovered, router manufacturers' often slow response in fixing these bugs and, of course, router owners who typically don't update the router firmware. Testing was done in July 2018 on the latest firmware for each router, so the real-world situation is certainly worse. Only 31 routers had no bugs and they were not identified. I don't know who the American Consumer Institute is and I am always skeptical of a report without an author. There is a chance that this is a disguised press release for Clarity. That they don't name the good routers also points to this being an ad disguised as a study. And, in the days after the study was released, they blogged about every story in the media that mentioned the study. Just what you would do if the study was really an advertisement.

Unpatched routers being used to build vast proxy army, spy on networks by Sean Gallagher of Ars Technica September 5, 2018
Researchers at Netlab 360 have discovered that thousands of MikroTik routers have been compromised by malware attacking a vulnerability first revealed in April 2018. MikroTik issued a fix back in April, but more than 370,000 MikroTik devices are online and still vulnerable. Of those, more than 7,500 are actively being spied on by attackers. The spying is done by forwarding a copy of network traffic to a bad guy. This is done using the built-in packet-sniffing capabilities of MikroTik routers. The sniffer, which uses the TZSP protocol, can send a stream of packets to a remote system running Wireshark or other packet capture tools. The vast majority of the packet capture streams were being sent to an IP address in Belize. Also, 239,000 MikroTik devices have been turned into SOCKS 4 proxies. The malicious proxy network is using the non-standard TCP port 4153. It is not clear what the proxies are being collected for, but they are continuously scanning for other vulnerable routers.
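Here is how the packet-sniffer exfiltration described above can be spotted from your own traffic. This is an added example in Python, not code from Netlab 360 or Ars Technica. It decodes the TZSP header that the RouterOS streaming sniffer puts in front of each captured frame (TZSP normally travels on UDP port 37008) and flags any TZSP stream whose destination is outside the networks where a packet-capture collector is allowed to live. The datagram and flows below are constructed for the demo; the 192.168.88.0/24 LAN and the 203.0.113.7 collector are made-up addresses.

```python
"""Spot MikroTik-style TZSP packet-capture exfiltration in observed UDP flows.

Added example, not code from Netlab 360 or Ars Technica. The sample
datagram and flows are constructed for the demo.
"""
import ipaddress
import struct

TZSP_PORT = 37008          # default UDP port for TZSP collectors
TAG_PADDING = 0x00
TAG_END = 0x01
TAG_TIMESTAMP = 0x0D
ENCAP_NAMES = {1: "Ethernet", 18: "IEEE 802.11", 119: "Prism", 120: "Radiotap"}


def parse_tzsp(datagram: bytes) -> dict:
    """Decode one TZSP datagram: 4-byte header, tag list, encapsulated frame."""
    if len(datagram) < 4:
        raise ValueError("too short for a TZSP header")
    version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unexpected TZSP version {version}")
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tag header")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("truncated tag value")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return {
        "type": msg_type,
        "encapsulation": ENCAP_NAMES.get(encap, f"unknown({encap})"),
        "tags": tags,
        "frame": datagram[pos:],
    }


def is_tzsp(payload: bytes) -> bool:
    """True if the UDP payload parses as a TZSP datagram."""
    try:
        parse_tzsp(payload)
        return True
    except ValueError:
        return False


def find_capture_exfil(flows, trusted_nets):
    """Return flows that carry TZSP to a collector outside the trusted networks.

    flows: iterable of (src_ip, dst_ip, dst_port, udp_payload).
    trusted_nets: CIDR strings where a capture collector is allowed to live.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for src, dst, dport, payload in flows:
        if not (dport == TZSP_PORT or is_tzsp(payload)):
            continue
        if any(ipaddress.ip_address(dst) in net for net in trusted):
            continue
        info = parse_tzsp(payload)
        hits.append({"router": src, "collector": dst, "port": dport,
                     "encapsulation": info["encapsulation"],
                     "frame_bytes": len(info["frame"])})
    return hits


# Constructed sample: one TZSP datagram carrying a tiny Ethernet frame.
SAMPLE_TZSP = (
    b"\x01\x00\x00\x01"                                 # version 1, type 0, encap Ethernet
    + bytes([TAG_TIMESTAMP, 4]) + b"\x00\x00\x00\x2a"   # timestamp tag, 4 bytes
    + bytes([TAG_END])
    + b"\xaa\xbb\xcc\xdd\xee\xff" + b"\x11\x22\x33\x44\x55\x66" + b"\x08\x00"
    + b"\x45\x00\x00\x14"                               # start of an IPv4 header
)

# Constructed flows: a capture sent to a LAN analyst box and one sent abroad.
SAMPLE_FLOWS = [
    ("192.168.88.1", "192.168.88.50", TZSP_PORT, SAMPLE_TZSP),
    ("192.168.88.1", "203.0.113.7", TZSP_PORT, SAMPLE_TZSP),
    ("192.168.88.1", "203.0.113.8", 53, b"\x12\x34\x01\x00"),   # ordinary DNS, ignored
]

if __name__ == "__main__":
    for hit in find_capture_exfil(SAMPLE_FLOWS, ["192.168.88.0/24"]):
        print(hit)
```

Feed it the UDP flows from a NetFlow export or a pcap of the router's WAN side; a stream of TZSP to an address you do not own is exactly what the Belize collector looked like from the victim's end.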

Thousands of MikroTik Routers Hijacked for Eavesdropping by Tara Seals of Threatpost September 4, 2018. While others say the bug was fixed in April, this article says the flaw is a Winbox "Any Directory File" bug that MikroTik patched in early August. The article quotes Troy Mursch, researcher at Bad Packets Report, saying "We must note these are carrier-grade routers that have been compromised".

Cisco Releases 16 Security Alerts Rated Critical and High by Ionut Ilascu of Bleeping Computer September 5, 2018
Cisco published 30 security advisories on vulnerabilities in its products. Half of the bugs are rated high or critical severity; three are rated critical. One critical bug affects the RV-series firewalls and routers, specifically the RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router. The two routers and the firewall are also vulnerable to directory traversal (CVE-2018-0426), command injection (CVE-2018-0424) and information disclosure (CVE-2018-0425) bugs, all rated high severity.

New Hakai IoT botnet takes aim at D-Link, Huawei, and Realtek routers by Catalin Cimpanu for ZDNet September 3, 2018
A new botnet, Hakai, was first spotted in June 2018. Then, in July, it started to exploit a vulnerability in Huawei HG532 routers (CVE-2017-17215). By mid-August it was targeting more devices and vulnerabilities. Hakai now goes after three different bugs in D-Link routers, one of which involves HNAP. D-Link routers that support HNAP do not let you disable it, but D-Link is moving away from HNAP, so anyone with a D-Link router should look for new firmware as it might eliminate HNAP. It also targets Realtek routers and IoT devices using a vulnerable version of the Realtek SDK, where the miniigd SOAP service allows remote attackers to execute arbitrary code on the device via a malicious NewInternalClient request. The article does not offer any way of detecting whether a specific IoT device is vulnerable or not. The botnet also targets Telnet, looking for devices with the port open and simple or default passwords. The Hakai codebase also seems to have leaked, as there are two different Hakai-based botnets, Kenjiro and Izuku, spreading online. The article says nothing about what the botnet does to the routers that it infects. It also says nothing about what an infected router might do to the rest of us.

Click this link grc.com/x/portprobe=23 to see if the Telnet port is open on the router you are currently connected to

AUGUST 2018

The NSA used hacked routers to help decrypt VPNs

NSA Cracked Open Encrypted Networks of Russian Airlines, AL Jazeera, and Other "High Potential" Targets by Micah Lee of The Intercept August 15, 2018
The article is about VPNs, but it included a point about using compromised routers to assist in breaking VPN traffic: "In 2014, The Intercept reported on the NSA's plans, dated August 2009, to use an automated system called TURBINE to covertly infect millions of computers with malware. The revelations described a piece of NSA malware called HAMMERSTEIN, installed on routers that VPN traffic traverses. The malware was able to forward VPN traffic that uses the IPSec protocol back to the NSA to decrypt." The March 2014 article by Ryan Gallagher and Glenn Greenwald referred to here said this about routers: "The NSA has specifically tailored some of its implants to infect large-scale network routers ... By compromising routers ... the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications. Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform "exploitation attacks" against data that is sent through a Virtual Private Network..." The article also pointed out that the NSA uses hacked routers to deliver malware to targeted machines.

D-Link routers in Brazil hacked to change DNS servers

In-the-wild router exploit sends unwitting users to fake banking site by Dan Goodin of Ars Technica August 10, 2018
A flaw or flaws in D-Link gateways (a gateway is a combination modem and router) allows bad guys to remotely change the DNS server that the routers tell connected devices to use. DNS translates domain names, such as RouterSecurity.org, into numeric IP addresses. All computer communication is based on numeric IP addresses. A small number of techies may hard code DNS servers into their computing devices, but the vast majority of computing devices use the DNS servers assigned to them by the router. A malicious DNS server will translate the name of a bank into the wrong IP address, one that hosts a scam version of the banking website. If a victim logs in to the scam website, the bad guys learn their banking password. According to Radware, bad guys have been using malicious DNS servers to send potential victims to scam versions of two Brazilian bank websites, Banco de Brasil and Unibanco. The web browser will display the correct banking URL while at the scam website, but the use of extended validation certificates should indicate that the displayed site is a scam. I checked. Both banks do use EV certificates, so an educated user would not be fooled. Also, the browser should issue a warning about the self-signed certificate used by the scam sites. Known vulnerable D-Link devices include the DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B. Also, the Shuttle Tech ADSL Modem-Router 915 WM. These attacks were first noticed by Radware on June 8, 2018. The bugs being exploited date back to 2015 and have since been fixed. Vulnerable devices can be hacked without any interaction from the end user. In large part the bugs stem from the web interface being available to LAN side devices without authentication. Finally, Goodin claims that specifying your own DNS servers on your computing device overrides those in the router. This is not always true, certainly not true with my favorite router, the Pepwave Surf SOHO.
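The DNS-changer attacks in this item and in the GhostDNS item above both come down to a resolver handing back the wrong address for a real hostname. The following Python script is an added example (not code from Radware, Netlab 360 or Ars Technica) that parses a raw DNS response, including RFC 1035 compression pointers, and flags A records that land outside the address ranges you expect for that name. The response bytes, the hostname www.bank.example, the 203.0.113.7 answer and the 198.51.100.0/24 expected range are all constructed for the demo; to use it for real you would feed it responses captured from the resolver the router hands out and fill in the ranges the bank actually uses.

```python
"""Flag DNS answers for a bank hostname that point somewhere unexpected.

Added example, not code from Radware, Netlab 360 or Ars Technica. The
response bytes, hostname and address ranges are constructed for the demo.
"""
import ipaddress
import struct


def read_name(msg: bytes, pos: int):
    """Decode a DNS name at pos, following compression pointers.
    Returns (name, position just after the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = pos + 2                   # only the first pointer sets the end
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_a_records(msg: bytes):
    """Return [(name, ttl, ipv4)] for every A record in the answer section."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    pos = 12
    for _ in range(qd):                         # skip the question section
        _, pos = read_name(msg, pos)
        pos += 4                                # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return records


def hijacked_answers(msg: bytes, expected: dict):
    """Answers whose address is outside the ranges we expect for that name.
    expected maps hostname -> list of CIDR strings the site is known to use."""
    bad = []
    for name, ttl, ip in parse_a_records(msg):
        nets = [ipaddress.ip_network(n) for n in expected.get(name.lower(), [])]
        if nets and not any(ipaddress.ip_address(ip) in n for n in nets):
            bad.append((name, ip, ttl))
    return bad


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name (used only to build the constructed response)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


# Constructed response: a rogue resolver answers www.bank.example with 203.0.113.7.
ROGUE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)                 # header: response, 1 Q, 1 A
    + encode_name("www.bank.example") + struct.pack("!HH", 1, 1)   # question: A, IN
    + b"\xc0\x0c"                                                  # answer name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7])
)
EXPECTED_RANGES = {"www.bank.example": ["198.51.100.0/24"]}

if __name__ == "__main__":
    print(hijacked_answers(ROGUE_RESPONSE, EXPECTED_RANGES))
```

The same parser works on responses from a resolver you trust, so the practical check is to resolve the bank from the router-assigned DNS and from a known-good resolver and compare the two; a mismatch on a short TTL is the signature of a rogue resolver.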

New Method Simplifies Cracking WPA/WPA2 Passwords on 802.11 Networks by Lawrence Abrams of Bleeping Computer August 6, 2018
This story is sad. The news is trivial, so much so as to be almost irrelevant. Yet every outfit did a story that the sky is falling. Not even Steve Gibson was able to put this in perspective and point out how unimportant it was. The tech press is truly disgraceful. Consider this statement from the normally reliable Bleeping Computer site: "While previous WPA/WPA2 cracking methods required an attacker to wait for a user to login to a wireless network and capture a full authentication handshake, this new method only requires a single frame which the attacker can request from the AP...". The fact is that Wi-Fi attackers never had to wait; they could force any and all currently connected devices off the network. Pretty much any Wi-Fi device would then try to log back in automatically. In fairness, this was a rare article that mentioned that this newly discovered technique "does not make it easier to crack the password for a wireless network." Many articles outright lied about this. And, some articles mentioned that the new technique only works on routers that have a certain feature enabled. No one bothered to research which routers have that feature enabled. That's not sexy. Have any router companies commented on which, if any, of their routers are vulnerable to this new attack? One article had a quote from Eero saying that none of their devices are vulnerable. No one bothered asking any other router vendors. Eero did not publish anything on their website. And, finally, to put this in perspective, let us not forget that Google knows nearly every Wi-Fi password in the world, as I blogged back in 2013. And, if Google knows it, the US Government can compel them to turn it over. No hacking needed.

New Wi-Fi attack cracks WPA2 passwords with ease by Charlie Osborne of ZDNet Aug. 8, 2018. Typically miserable article. Quoting: "Currently, the most popular method is to wait until a user connects to Wi-Fi, wait for the four-way authentication handshake to take place, and capture this information in order to brute-force the password...."

Scary Wi-Fi attack can hack weak passwords with ease by Chris Smith of BGR Aug. 8, 2018 Scary? I think not. Clickbait for sure. This article was initially brutally wrong saying that strong passwords could be easily hacked using this attack. I tweeted about it. The article and the headline was later updated. The original headline was "Scary Wi-Fi attack can hack your password no matter how strong it is"

Cracking the passwords of some WPA2 Wi-Fi networks just got easier by Shaun Nichols of The Register Aug. 6, 2018. It too says: "Previously, an attacker would need to wait for someone to log into a network, capture the four-way handshake process used to authenticate users with a wireless access point, and use that to brute-force search for the password." No matter how many people write this, it remains false. The article also said "...the attacker would be able to break into a vulnerable wireless network in far less time..." This is false too. If a Wi-Fi password is sufficiently long, it will take decades to brute force it.

New attack on WPA/WPA2 using PMKID by Jens Steube Aug. 4, 2018. The original source of the story. Quoting: "At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers)".
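To see why the PMKID technique changes nothing about how hard a password is to crack, here is an added Python example; it is not code from Steube, hashcat or any of the articles above. It derives the PMK the way WPA2-Personal does (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 rounds, 32 bytes), computes the PMKID as 802.11i defines it (HMAC-SHA1-128 over "PMK Name", the AP MAC and the client MAC), and then runs a dictionary attack against a PMKID. Every guess costs one PBKDF2 derivation, exactly what a guess against a captured 4-way handshake costs, so the attack only removes the need for a connected client, not the need to guess the password. The SSID, passphrase, MAC addresses and word list are made up for the demo.

```python
"""PMKID attack in miniature: the same offline guess as handshake cracking.

Added example, not code from hashcat or any article above. SSID,
passphrase, MAC addresses and word list are constructed for the demo.
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), per 802.11i."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def crack_pmkid(pmkid: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes, wordlist):
    """Offline dictionary attack. Every candidate costs one PBKDF2 (4096 rounds),
    exactly the cost of testing a candidate against a captured 4-way handshake."""
    for candidate in wordlist:
        if compute_pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac) == pmkid:
            return candidate
    return None


def hashcat_16800_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Format hashcat's mode 16800 input: PMKID*AP_MAC*STA_MAC*ESSID_hex."""
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])


# Constructed demo values: what an attacker would pull from the first EAPOL
# frame of an AP that includes the RSN PMKID KDE.
SSID = "HomeNet-5G"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
REAL_PASSPHRASE = "correct horse battery"
CAPTURED_PMKID = compute_pmkid(derive_pmk(REAL_PASSPHRASE, SSID), AP_MAC, STA_MAC)
WORDLIST = ["password", "12345678", "letmein123", "correct horse battery", "qwertyuiop"]

if __name__ == "__main__":
    print(hashcat_16800_line(CAPTURED_PMKID, AP_MAC, STA_MAC, SSID))
    print("recovered:", crack_pmkid(CAPTURED_PMKID, SSID, AP_MAC, STA_MAC, WORDLIST))
```

The cost per guess is the PBKDF2 call in derive_pmk, and that call is identical whether the check at the end compares a PMKID or a handshake MIC. A long random passphrase is out of reach either way; a dictionary word falls either way.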

Back to bad news - MikroTik routers at ISPs hacked

Mass MikroTik Router Infection – First we cryptojack Brazil, then we take the World? by Simon Kenin of Trustwave August 1, 2018
Quoting: "I noticed a huge surge of CoinHive in Brazil. After a quick look I saw that ... these were all MikroTik network devices ... all of these devices were using the same CoinHive sitekey, meaning that they all ultimately mine into the hands of one entity ... the attacker indeed mainly focused on Brazil ... MikroTik routers are used by Internet providers and big organizations, and in this case it seem that the Reddit post's author's ISP had their router compromised ... the exploit was for a vulnerability patched by MikroTik on April 23rd (2018) .... using this exploit you can get unauthenticated remote admin access to any vulnerable MikroTik router ... the attacker used the device's functionality in order to inject the CoinHive script into every web page that a user visited ... This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible, this attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well ... Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices. There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses ..." This is, to me, a new type of bad. Any website sitting behind a hacked MikroTik router may deliver malware.
One thing does not make sense in this report. Kenin says that all web pages passing through an infected router get modified, but TLS should protect web pages from being modified in flight.

Routers turned into zombie cryptojackers – is yours one of them? by Paul Ducklin of Sophos Naked Security August 3, 2018. By far the best article on the topic. Describes an unforgivable design flaw made by MikroTik regarding passwords. And puts the problem in perspective - it's trivial. Quoting: "You’ll only get cryptojacked if you are browsing via the Mikrotik proxy; the cryptojacking will only kick off when there’s an error to report; and the cryptomining will only last until you exit from the browser tab with the cryptomining code in it. You’re very likely to notice the cryptojacking, not least because your computer will slow down .... Also, Mikrotik's proxy only supports HTTP, not HTTPS."

OpenWrt 18.06 released (Linux OS for your router, first major update in years) by Brad Linder of Liliputing August 1, 2018
Quoting: "OpenWrt is an open source, Linux-based operating system designed to run on hundreds of routers and other embedded devices. It can add new features to your networking gear and give you more control over the software running on the hardware in your home. This week the developers released OpenWrt 18.06, which is a big step for a couple of reasons." Some changes: Spectre and Meltdown mitigations, improved firmware upgrade procedure, auto rollback functionality, new Linux kernel, an updated toolchain, some type of support for Wireguard VPNs, and, of course, bug fixes.

Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M by Brian Krebs in Krebs on Security July 24, 2018
Hackers used phishing emails to break into The National Bank of Blacksburg in Virginia - twice. In May 2016, "The email allowed the intruders to install malware on the victim’s PC and to compromise a second computer at the bank that had access to the STAR Network, a system ... that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards. Armed with this access, the bank says, hackers were able to disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections." This first break-in cost the bank $569,000. The second break-in was in January 2017. "This time not only did the intruders regain access to the bank’s STAR Network, they also managed to compromise a workstation that had access to Navigator, which is software used by National Bank to manage credits and debits to customer accounts ... the hackers used the bank’s Navigator system to fraudulently credit more than $2 million to various National Bank accounts." Most of the article is about a lawsuit between the bank and its insurance company. Boring. Clearly the problem here is a lack of network segmentation (VLANs). No employee should be reading email messages on a computer that has network access to the core banking systems.

Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices by Hubert Lin, Lorin Wu and Vit Sembera of Trend Micro July 23, 2018
Quoting: "... we found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15 ... the activity involves the command line utility called Android Debug Bridge (ADB), a part of the Android SDK that handles communication between devices ... the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea ... we determined that the malware spreads via scanned open ADB ports .... It attacks ADB by uploading the payload via TCP port 5555 ... It is reasonable to believe that the same author was behind this sample and Satori ... According to data from Shodan, over 48,000 IoT systems are vulnerable to ADB exploitations. Not all vulnerable systems are exposed as they are usually hidden behind routers with NAT ... However ... they can be made accessible either manually or via UPnP NAT traversal. All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user's password strength."

eSentire Observes an Increase in Exploitation Attempts Against Routers by eSentire July 20, 2018
eSentire observed exploitation attempts targeting consumer routers made by Dasan and D-Link. The D-Link DSL-2750B with firmware 1.01 to 1.03 is susceptible to this attack. So too are Dasan GPON routers using ZIND-GPON-25xx firmware and some H650 series models. Dasan never issued bug fixes. A successful attack results in remote code execution. An article about the D-Link routers appeared in Ars Technica in June (see below).

Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day by Catalin Cimpanu of Bleeping Computer July 19, 2018
A bad guy built a botnet of over 18,000 routers in the span of a single day. The botnet was spotted by NewSky Security, and their findings have been confirmed by Qihoo 360 Netlab, Rapid7, and Greynoise. It was built by exploiting a vulnerability in Huawei HG532 routers (CVE-2017-17215). The bug is exploited via TCP port 37215. This was no zero day; the bug is high profile and had been exploited by many previous botnets. Clearly no one patches their routers. Also, ISPs fail to block incoming connections on port 37215.

Hackers Breach Russian Bank and Steal $1 Million Due to Outdated Router by Catalin Cimpanu of Bleeping Computer July 19, 2018
What was outdated about the router, no one said. The victim of the hack was PIR Bank. Their network was infiltrated in late May 2018 and the money was transferred out on July 3, 2018. The hacker group is known as MoneyTaker, according to Group-IB, and the amount stolen this time was at least $920,000. Group-IB said: "The router had tunnels that allowed the attackers to gain direct access to the bank’s local network .. This scheme has already been used by this group at least three times while attacking banks with regional branch networks." Tunnels? As in VPN?

Avira Home Guard: One out of every four routers is vulnerable to hackers by Avira July 19, 2018
This is a press release for a new free product from Avira. It is software that runs on Windows and Android and does a LAN scan to find devices and security issues with them. The text says that many routers have open ports, but it's not clear if the product finds LAN side or WAN side open ports. Avira may be selling FUD. Don't know. Hope to kick the tires on this soon. I later learned that Trend Micro has a similar product that runs on Windows, MacOS, iOS and Android. Trend is upfront about the data that is sent to them; Avira says nothing about this.

Year-old router bug exploited to steal sensitive DOD drone, tank documents by Sean Gallagher of Ars Technica July 11, 2018
Quoting: "In May, a hacker perusing vulnerable systems with the Shodan search engine found a Netgear router with a known vulnerability - and came away with the contents of a US Air Force captain's computer. The purloined files from the captain - the officer in charge of the 432d Aircraft Maintenance Squadron's MQ-9 Reaper Aircraft Maintenance Unit ... included export-controlled information regarding Reaper drone maintenance. The vulnerability, which makes it possible for an attacker to remotely execute commands and gain access to the root directory of the router via FTP, was disclosed by Netgear over a year ago ... [it] allowed attackers to ... gain access to the local network. They could then either grab files passing over the network or gain access to devices on it." An article in SFGate from February 2016, "Netgear: Add a password or risk losing your data", says the flaw stems from the promise of convenience: "An owner can plug in a flash drive or a hard drive into a home router and access the data remotely. Turning a USB stick into a private cloud is an enticing perk - and one that’s becoming expected as people grow accustomed to accessing their information from anywhere ... When people attempt to remotely access their data, they are prompted to enter a user name and password. If customers have not established their own unique log-ins, Netgear routers grant access without requiring a password at all." Netgear's point of view was that users are responsible for preventing this. They should change the FTP password as the manual says. The article also says that Netgear did not respond to questions about the specific devices affected by the design flaw.

Hacker Selling Pentagon’s Killer Drone Manual on Dark Web for $150, Cheap by Kevin Poulsen for The Daily Beast July 10, 2018. This article says the theft was from a home network not from a military base. It also has more details on the bug itself: "If the user switches the Personal FTP Server option on, and doesn’t explicitly set a password for the server, all their shared files are left wide open to anybody who logs in as 'anonymous' with no password required."

According to the Ars article, this is the bug in question. I doubt it, as it only applies to the DGN2200v4 modem/router.
DGN2200v4 Command Execution and FTP Insecure Root Directory Security Vulnerability from Netgear
This bug can allow hackers who have the router's admin password to inject OS commands that can possibly be used to backdoor the router and modify Internet traffic and to access files in the root directory. An updated version of DGN2200v4 firmware to resolve the vulnerability is in test. NETGEAR plans to release the firmware by the end of November 2016. Last Updated: January 6, 2017. So, it seems like updated firmware was never released.

Those Harder to Mitigate UPnP-Powered DDoS Attacks Are Becoming a Reality by Catalin Cimpanu of Bleeping Computer June 28, 2018
Every consumer router that I am aware of ships with UPnP enabled. Fewer tech support calls that way. But, UPnP can be abused to make Denial of Service attacks harder to defend against. Quoting: "Security researchers are continuing to see DDoS attacks that leverage the UPnP features of home routers to alter network packets and make DDoS attacks harder to detect and mitigate ... " UPnP was designed for LAN side use only, but many routers are mis-configured and support it on the WAN side. Then too, routers implement it wrong. Specifically, UPnP supports port forwarding to open up a LAN side device directly to the Internet. But, some routers do not validate that the target IP address is really internal, so UPnP allows port forwarding to a public IP address - to the victim of a DDoS attack. This has been called UPnProxy. This also allows changing the source port number, which makes DDoS attack mitigation much harder.

Widely used D-Link modem/router under mass attack by potent IoT botnet by Dan Goodin of Ars Technica June 20, 2018
Bad guys are exploiting a bug in very old D-Link DSL-2750B DSL gateways in an attempt to make them part of the Satori botnet. The bug has been known for roughly 2 years but the devices have been abandoned by D-Link and the ISPs that gave them out. If you have such a device, it needs to be replaced. This is yet another reason to not use any hardware from your ISP, when possible. The bug allows remote command execution without any authorization needed. The vulnerability can be exploited using the "cli" parameter that directly invokes the "ayecli" binary. Vulnerable firmware versions run from 1.01 through 1.03. It is also possible to retrieve the admin password, wifi password, etc. Attack code exploiting the bug was published last month. Netlab 360 first reported Satori was exploiting this bug on June 15th. They also found it exploiting a bug in a XiongMai router. D-Link representatives did not respond to Ars Technica's request for comment. No surprise there. There is no mention of the device on the D-Link website for the US. I know someone who had one of these from Verizon. As of August 2016, it was running firmware version 5.4.12.1.44.2.1 (not a joke) which was released Nov. 14, 2013.

Chinese Cyber-Espionage Group Hacked Government Data Center by Catalin Cimpanu of Bleeping Computer June 15, 2018
In November 2017, according to Kaspersky Lab, bad guys hacked a data center belonging to a Central Asian country and embedded malicious JavaScript code on government websites. The code re-directed victims to malicious websites hosting exploitation tools that attempt to infect victims with a remote access trojan (RAT). The attackers hacked a MikroTik router to host the command and control server of the RAT. The hacked router controlled and retrieved data from infected victims, providing an additional layer of anonymity between the bad guys, victims, and forensic investigators. This is believed to be the first time that bad guys hosted a C&C server on a router. MikroTik is also on the VPNFilter list of vulnerable manufacturers. Why? According to Rapid 7, most MikroTik devices are not maintained.

VPNFilter's Potential Reach - Malware Exposure in SMB/Consumer-grade Devices by Bob Rudis of Rapid7 June 7, 2018
Rapid7 scanned the Internet looking for devices from the 11 manufacturers whose routers are known to be vulnerable to VPNFilter. Of those, they counted the ones with an open Telnet port and found just over 453,000 devices. Quoting: "... poorly configured and maintained devices remain at-large just waiting for attackers to regain control ... To ... understand the potential scope of the problem (and not with just VPNFilter), Rapid7 Labs researchers used banner scan results from Project Sonar and Censys to try to get a count of the device families targeted by VPNFilter. The initial numbers for the spread of VPNFilter were in the 500,000 device range and ... the potential for exploitation of all types in these device families (VPNFilter and beyond) is much, much larger ... we picked the most egregious port - telnet - to see what is there since - if telnet is exposed, the devices are seriously, egregiously poorly configured and are likely already compromised in other ways, let alone potential victims for VPNFilter (in any form) ... While we cannot determine if these devices are, in fact, compromised by the latest round of VPNFilter exploits, their mere presence on this singular cleartext port is a clear indicator that we have a long way to go reduce the number of candidates for compromise."

MAY 2018

VPNfilter router hack - an inevitable disaster

New VPNFilter malware targets at least 500K networking devices worldwide by Talos division of Cisco May 23, 2018
If you own a crappy router, it is likely to get hacked. That is the lesson to be learned here. And, by crappy, I mean anything from your ISP or a consumer router. You can stop reading now.
The story: State sponsored bad guys, probably Russians, have hacked a lot of routers (at least 500,000 in 54 countries is the estimate) with really nasty malware. Talos, working with law enforcement and others, found devices from Linksys, Mikrotik, Netgear, TP-Link and QNAP (a NAS not a router) infected. They listed specific models but clearly said their list was incomplete. Nonetheless many articles left out the incomplete part, leaving the impression these were the only vulnerable models. In reality, every device from these vendors needs to be considered vulnerable. There is no easy way to tell if a device is infected with VPNFilter. The exact method of infection is not known and Talos has not completed its research. As shown on the Bugs page here, there are many router bugs just waiting to be exploited. Heck, being a bad guy targeting routers is like being a kid in a candy store. Talos said "...most devices targeted ... have known public exploits or default credentials that make compromise relatively straightforward." In other words, easy pickings. While the initial router infection may have been easy, the malware is, nonetheless, fairly sophisticated. For one thing, it is installed in sections: a main controller is installed first and it then downloads other components. The initial component learns the IP address of where it should download the rest of itself in a very clever way. It downloads an image, and looks in the image metadata for an IP address. Also, this is only the second router malware that can survive reboots of the router. The malware/botnet has been around for a couple years and grew slowly until May 8, 2018 when it increased 28 fold with almost all new infections in the Ukraine.
So what? The malware can do assorted bad things and Talos is not sure it has detected everything. It can certainly steal website credentials and brick the router it is running on. And, as with other router hacks from the last few months, it can be used to hide the true location of bad guys doing bad things. If the FBI breaks your door down thinking you did a bad thing on the Internet, it might be due to VPNFilter. Speaking of the FBI, they said VPNFilter can do "information collection, device exploitation, and blocking network traffic." Finally, it monitors modbus traffic on TCP port 502. Modbus is an Industrial Control Systems (ICS) protocol. A report from JASK said "Western Europe and North America may be at increased risk for a potential ICS attack against critical infrastructure."
Solutions offered: Reboot your router is the big headline everywhere. Good reporters note that all routers should be rebooted, bad reporters point to the few that have been verified as vulnerable. Rebooting is also called power cycling. Simply put, unplug a router from the electricity, wait a short bit and then plug it back in. What is sometimes missing is that this only removes part of the malware, not all of it. Specifically, it removes the add-on components, but not the initially installed component. The malware that is left is harmless in and of itself, but it still leaves the router open to re-infection. Fully removing the malware requires a hard reset to restore the router to a factory fresh state. The downside to this is that any changes made to the default configuration will need to be re-done and hardly anyone knows every change that was made. Some routers can save their current configuration, which begs the question: if this is restored after a reset, are you still safe? No one has addressed this. Certainly if the malware changed DNS servers, you do not want to restore the bad ones.
Finally, a factory refresh may be a waste of time, if the bug that led to the infection in the first place is not fixed. And, again, we do not know how the initial infections are done. Everyone also says to update the firmware. No one points out that this may be useless. Many routers are abandoned and their firmware is not updated and bugs are not fixed. Other solutions are not solutions, just recycled words. For example: change default passwords and turn off Remote Management. Well, duh.
Solution not offered: Use a Pepwave Surf SOHO router. Steve Gibson was the only person to question whether a factory reset really removed the malware. He suggested installing new firmware as the best approach for removing existing corrupted firmware. But that begs the question: if a router already is running the latest firmware, can you re-install it on top of itself? Which leads me to wonder, how long before the malware prevents any firmware updates?
Infected devices did TCP scans on ports 23, 80, 2000 and 8080 which Talos wrote are indicative of Mikrotik and QNAP NAS devices. A secure router has no open ports. The Test Your Router page lists many tests you can run against your router looking for open ports. Rebooting a router every now and then is a good idea in general, nothing to do with VPNFilter specifically. There are many router hacks that are removed by rebooting. I recommend periodic reboots on the home page of this site.
Unknown: What does a factory reset of a router really do? Does it install new firmware from a read-only copy? If so, how old is this firmware? Or, does it simply reset the configuration options but make no changes to the installed firmware? NO ONE addressed this issue. Then too, why is it that 3 of the 4 affected companies say nothing about a factory reset in their instructions to their customers? Strange.
Mystery: Who owned toknowall dot com, the domain seized by the FBI? Did the bad guys register it or was an innocent website hacked?
Detecting an infection: June 30, 2018: Symantec has a VPNFilter checker at www.symantec.com/filtercheck. Interestingly, it is only available via HTTP, not HTTPS. Exactly what it does is not explained; Symantec says only that it tests for the presence of the ssler plugin, not how it tests or what exactly it tests. Also, the plugin is but one component of VPNFilter and Symantec is clear that a router that gets a clean bill of health on their test, "...may still be compromised by other threats or components of VPNFilter." On this page, Symantec says that a list of vulnerable routers is available in their blog. There are multiple mistakes with this. Depending on the release of firmware, a router may or may not be vulnerable. Also, the list of known vulnerable routers is wrong as it omits information from at least two vendors that know exactly the vulnerability that led to infection. They just copied a list from Talos.
June 9, 2018: It seems that you cannot detect the presence of the VPNFilter malware just by looking at your router. The second Talos report mentioned that the router does port forwarding of port 80 to 8888, but did not say if this was visible in the router interface. The report also mentioned that it disables gzip compression, but no one has said how to detect this. Likewise, it tries to downgrade HTTPS to HTTP which is perhaps the easiest means of detection, but many websites force HTTPS all the time. All the detection mentioned anywhere involves monitoring traffic leaving the suspect router, which means connecting the router to something other than a modem. In effect, doing a Man-in-The-Middle attack on the suspect router. The MiTM device could look for the use of http://api.ipify.org?format=json which the malware uses to learn its public IP address. It could also look for outgoing requests to the domain seized by the FBI, toknowall dot com. Talos has published many Indicators of Compromise.
Update June 2, 2018: I re-read the Talos blog and it clearly says that rebooted routers can be fully re-infected. Quoting: "If the attempt to the backup domain fails, stage 1 opens a listener that waits for a specific trigger packet to open a connection for the actor to connect interactively to the device ... when any packet arrives on any port, the listener performs a series of checks to identify a trigger packet. If the packet meets a predefined set of criteria, it will extract an IP address from the packet and attempt a stage 2 download." Surely the bad guys know the IP addresses of all infected routers, even those that were re-booted. They may lose track of some because the re-boot may assign a new public IP address, but still, they should be able to fully re-infect many of the rebooted routers. And, the malware listens for a trigger packet on all ports making it impossible to do port scans to find infected devices.
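As an added example (not code from Talos, Symantec or this site), here is the sort of check the monitoring device described above could run: it scans egress log lines for the two indicators named in the text, the ipify lookup and the seized toknowall domain, plus plaintext HTTP to hosts the operator knows are HTTPS-only as a hint of the downgrade behaviour. The log format, the HTTPS-only host list and the sample log are constructed for this example.

```python
"""Added example: look for the VPNFilter network indicators listed in the
text in traffic logged by a device placed between the suspect router and
the modem. Not Talos, Symantec or vendor code."""
import re
from typing import List, NamedTuple

# Indicators named in the text: stage 1 learns its public IP from ipify,
# and the malware contacted toknowall.com, the domain seized by the FBI.
IPIFY_URL_RE = re.compile(r"^https?://api\.ipify\.org/?\?format=json", re.I)
SEIZED_C2_DOMAIN = "toknowall.com"

# Assumption (constructed for this example): hosts the operator knows always
# serve HTTPS, so a plaintext HTTP request to one of them from behind the
# router hints at the HTTPS-to-HTTP downgrade the Talos report describes.
HTTPS_ONLY_HOSTS = {"www.example.com", "bank.example.net"}


class Finding(NamedTuple):
    line_no: int
    kind: str
    detail: str
    reason: str


def _host_of(url: str) -> str:
    """Return the host part of an http(s) URL, without port, path or query."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0].split("?", 1)[0].split(":", 1)[0].lower()


def _is_c2(name: str) -> bool:
    """True for the seized domain itself or any subdomain of it."""
    return name == SEIZED_C2_DOMAIN or name.endswith("." + SEIZED_C2_DOMAIN)


def check_record(line_no: int, kind: str, detail: str) -> List[Finding]:
    """Apply the indicators to one record. kind is "dns" (detail = queried
    name) or "http" (detail = full URL of a plaintext request on the wire)."""
    hits = []
    if kind == "dns":
        if _is_c2(detail.rstrip(".").lower()):
            hits.append(Finding(line_no, kind, detail,
                                "lookup of the C2 domain seized by the FBI"))
    elif kind == "http":
        if IPIFY_URL_RE.match(detail):
            hits.append(Finding(line_no, kind, detail,
                                "public-IP lookup used by VPNFilter stage 1"))
        host = _host_of(detail)
        if _is_c2(host):
            hits.append(Finding(line_no, kind, detail,
                                "HTTP request to the seized C2 domain"))
        if host in HTTPS_ONLY_HOSTS and detail.lower().startswith("http://"):
            hits.append(Finding(line_no, kind, detail,
                                "plaintext HTTP to an HTTPS-only host (possible downgrade)"))
    return hits


def scan_log(text: str) -> List[Finding]:
    """Scan a log in the constructed format '<timestamp> <kind> <detail>'."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _, kind, detail = parts
        findings.extend(check_record(line_no, kind, detail))
    return findings


# Constructed sample log (not real traffic) in the format scan_log expects.
SAMPLE_LOG = """\
2018-06-09T08:00:01 dns www.example.com
2018-06-09T08:00:02 http http://www.example.com/login
2018-06-09T08:00:05 dns toknowall.com
2018-06-09T08:00:06 http http://api.ipify.org?format=json
2018-06-09T08:01:00 dns cdn.example.org
2018-06-09T08:01:01 http http://cdn.example.org/style.css
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.detail}")
```

A hit on any of these is a reason to pull the router off the network and factory reset it; a clean scan proves nothing, since only some components of the malware produce this traffic.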

VPNFilter Targets More Devices Than Initially Reported by Lucian Constantin June 6, 2018. Quoting: "The large variety of targeted devices highlights the considerable amount of development work and testing that went into building this malware and botnet. The home router ecosystem is incredibly diverse. Most router firmware is based on Linux, but there are significant differences between firmware packages from different manufacturers and even between devices from the same vendor’s line of products."

VPNFilter Update - VPNFilter exploits endpoints, targets new devices by Talos June 6, 2018. VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities. They are wrong about QNAP. The company has clearly said which versions of their QTS software are vulnerable and which are not. Talos does not include this information making it look as if all QNAP devices are vulnerable.

VPNFilter: a global threat beyond routers by Juniper June 6, 2018. It infects small office/home office routers, not enterprise brands. Juniper Networks routers are not believed to be affected. Even the new list of vulnerable devices is not complete. Still no sign of any zero day vulnerability being exploited, so it is likely that known vulnerabilities and weak passwords are the main vector of infection.

The VPNFilter Botnet Is Attempting a Comeback by Catalin Cimpanu of Bleeping Computer June 2, 2018. A new report from JASK and GreyNoise Intelligence (below) found that the people behind the VPNFilter botnet are attempting to compromise new routers and build a new, second generation VPNFilter botnet. They found scans looking for Mikrotik routers with port 2000 exposed online in Ukraine. Since May 8th, the VPNFilter botnet has been looking for Ukrainian routers in particular.

Should you reboot your router like the FBI says? by The Associated Press May 30, 2018. Excellent, short article. The FBI acknowledges that rebooting a router only temporarily disrupts the malware. After rebooting, the core infection persists and there is no simple way to delete it. The persistent malware is in listening mode, awaiting instructions. If you can update the firmware in your router to the latest version you should, but it may not fix the problem. It won’t hurt.

VPNFilter by Steve Gibson and Leo Laporte. Security Now podcast transcript. Episode 665, May 29th, 2018. Raises issues that no one else has. He actually read the Talos report and understood it. On the other hand, he misread part of it, believing that only the few cited models are in danger of being hacked. Talos clearly said their list of vulnerable devices was incomplete.

VPNFilter botnet: a SophosLabs analysis, part 2 May 27, 2018. A deep dive into the operation of Stages 2 and 3. Recommendation at end: "Regardless of whether you think your device has been hacked, power cycle the device, flash the latest firmware over the top of whatever is on there, and perform a factory reset on the firmware."

Exclusive: FBI Seizes Control of Russian Botnet by Kevin Poulsen for The Daily Beast May 23, 2018. First reporting of this very big deal. The FBI has blocked the malware's ability to reactivate following a router reboot. And, when an infected router is re-booted, it will phone home to the FBI which will then know the router is infected. The FBI could now, in theory, hack the routers.

Hackers infect 500,000 consumer routers all over the world with malware by Dan Goodin of Ars Technica May 23, 2018. This is the only article I have seen to add some context pointing out the recent warning from the US and Britain that Russian hackers were/are compromising large numbers of routers, switches, and network devices belonging to governments, businesses, and critical-infrastructure providers.

VPNFilter Malware Security by TP-Link May 23, 2018. They are looking into it and will update this over time, or so they claim. As of June 2nd, no update. This should tell you everything you need to know about TP-Link. Nothing about factory resets.

VPNFilter Malware Update from Linksys May 25, 2018. On the one hand Linksys passes the buck saying "If customers believe they have been infected ... " since there is, realistically, no way to know if a router has been infected. On the other hand, they do have instructions for performing a factory reset. Also, Linksys makes a point that Netgear and TP-Link cannot - their newer routers self-update.

VPNfilter official statement by MikroTik May 24, 2018. Quoting: "We are highly certain that this malware was installed ... through a vulnerability in MikroTik RouterOS software, which was ... patched ... in March 2017 ... upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability." They also point out that their flaw could only be exploited if port 80 was open which their firewall protects against by default.

Security Advisory for VPNFilter Malware from QNAP May 24, 2018. The best response of all the cited vendors. They specifically define the vulnerable software and options and note that bug fixes were released in 2017. They offer no details however on the nature of the bug(s). Affected products: any QNAP NAS running QTS 4.2.6 build 20170628 or earlier or QTS 4.3.3 build 20170703 or earlier. Also, any QNAP NAS using the default password for the administrator account. Which leads me to ask, why is there a default password for the Admin account?

The FBI says you should reboot your router. Should you? by Rick Broida May 30, 2018. The worst article I have seen on the topic. Makes the mistake of assuming that only the few router models cited by Talos are vulnerable. Not True! Clearly Broida never read the original reports from techies that actually understand the problem. He also misquotes Linksys, to further the myth that new firmware fixes everything. The article is so bad, I won't link to it.
https://www.cnet.com/au/how-to/the-fbi-says-you-should-reboot-your-router-should-you/

May 21, 2018: A bug in DrayTek routers was reported by the company and is in the process of being fixed by new firmware. Bad guys have been abusing the flaw to modify the DNS servers in the routers. Details are on the Router Bugs page.

WICKED botnet exploits known bugs in Netgear routers

A Wicked Family of Bots
By Rommel Joven and Kenny Yang of FortiGuard Labs May 17, 2018
If the WICKED botnet can connect to port 8080 on a router it will try to exploit a flaw in Netgear DGN1000 and DGN2200 v1 routers from October 2017. If it can connect to port 8443, it will try to exploit a command injection flaw in Netgear R7000 and R6400 routers from March 2017. If you have a Netgear router, you can test TCP port 8443 and test TCP port 8080. The best result is "Stealth." If either port is open, make sure you have the latest firmware installed.

New DDoS Attack Method Demands a Fresh Approach to Amplification Assault Mitigation by Avishay Zawoznik, Johnathan Azaria and Igal Zeifman of Imperva May 14, 2018
It was recently reported that routers with UPnP exposed on their WAN side (the Internet) were being abused by bad guys to make their own customized equivalent of the Tor network to hide their actual location. That was bad enough. Now, Imperva has found that bad guys are also abusing devices that expose UPnP, in DDoS attacks that are harder to detect because the source port is faked. They searched Shodan and found over 1.3 million devices exposing UPnP on the Internet.

Vulnerabilities Affecting Over One Million Dasan GPON Routers Are Now Under Attack by Catalin Cimpanu of Bleeping Computer May 4, 2018
The bug being exploited was disclosed in late April 2018. At first, I did not believe it, my reasons are on the Bugs page. Seems I was wrong and these are real router vulnerabilities. Over a million routers are said to be vulnerable. No article has yet addressed whether the bugs can be exploited remotely, locally or both. The bugs are CVE-2018-10561 and CVE-2018-10562. GPON (Gigabit Passive Optical Network) supports internet connections via fiber optics lines. Most of the vulnerable routers are in Mexico, Kazakhstan, and Vietnam.
Update May 21, 2018: These same routers appear to have another zero day flaw that bad guys are exploiting. See GPON Routers Attacked With New Zero-Day by Catalin Cimpanu for Bleeping Computer.

Botnet Party on GPON Routers by Catalin Cimpanu May 10, 2018. At least five IoT botnets are fighting each other and attempting to infect Dasan GPON routers, according to Chinese cyber-security firm Qihoo 360 Netlab.
The good news is that the exploits of four of them are buggy, preventing them from hacking the routers. The fifth botnet had its command and control server go down. Dasan said that only "ZNID-GPON-25xx series and certain H640 series GPON ONTs, when operating on specific software releases, are affected by this vulnerability." They estimate that less than 240,000 routers are vulnerable. The routers are old and will not be patched.

GPON Router Vulnerability Antidote by VPNmentor. Undated. About May 8, 2018 give or take. A patch for the bug. This may be the only hope as Dasan is not going to fix the bugs. "This patch was not created by the official company and is not guaranteed. It was created to help mitigate the vulnerabilities until an official patch is released. Therefore, any issues or problems that might be caused by the use of this tool is not our responsibility, and we advise you to use it at your own risk. This tool disables the web server in a way that is not easy to reverse ... if you are not comfortable with the command line we suggest firewalling your device until an official patch is released."

The Digital Vigilantes Who Hack Back by Nicholas Schmidle for The New Yorker magazine May 7, 2018 issue
The article mentions a security company that got a request from the C.E.O. and general counsel of a multinational corporation. An employee who left the corporation had not returned their company laptop and was suspected of having shared proprietary information with a competitor. They wanted to know if the security company could "hack into the former employee's home network, assess whether the company laptop was connected to it, and, if so, erase any sensitive files." Doing so would require access to the MAC address of the devices connected to the former employee's home network. That, in turn, requires router access. The security company said, for the article, that from a technical standpoint "such a hack would not be difficult."

Apple FINALLY comes clean, no more AirPort routers

Apple officially discontinues AirPort router line, no plans for future hardware by Zac Hall of 9to5Mac April 26, 2018
"Apple is officially exiting the wireless router business and selling off its remaining inventory of AirPort products. This includes the AirPort Express, AirPort Extreme, and both models of AirPort Time Capsule." Why would anyone buy the remaining inventory? Especially since the last new model was released five years ago. Apple seems to hate their customers. Back in Nov. 2016, Bloomberg reported that Apple had disbanded the team responsible for developing Apple's routers. Yet, it took till now to make it official. And, even now, they have not lowered the price of remaining inventory. The article says that the router will be supported for years to come, but they are, after all, Apple fanboys. I doubt there will ever be another firmware update to the AirPort routers. As for replacements, needless to say, I recommend the PepWave Surf SOHO router. It is, however, a single device and Peplink does not offer a mesh router system. At the moment, I would recommend Eero, based on my experiences with tech support. However, I have only kicked the tires on Eero, Google Wifi and AmpliFi.

Choosing a Wi-Fi router to use with Apple devices by Apple April 26, 2018. Essential features when shopping for a Wi-Fi router to use with your Mac, iPhone, iPad, Apple TV, HomePod, or other Apple devices. This is brutally trivial and says nothing about security, needless to say.

UPnProxy: Blackhat Proxies via NAT Injections by Akamai undated (sometime this month)
UPnP was intended to be used on a LAN and, as such, all devices were considered trusted and the protocol has no security at all. It's an old protocol. Back in January 2013 it was discovered that millions of routers were exposing UPnP on their WAN side (the Internet) by mistake. For more on this see the Bugs page. Here we are, 5 years later and this is still true. It seems nothing was done about the millions of buggy/vulnerable routers from 2013. Last month, Symantec wrote about a cyber espionage group known as the Inception Framework abusing UPnP to forward traffic from one router to another to another to another, etc. This lets bad guys hide the true source of their bad deeds. The link and summary are on this page, under March 2018. Now, Akamai is reporting the same thing and they call it UPnProxy. Akamai says it detected over 4.8 million routers that expose various UPnP services via the WAN interface. Again, there should be none, UPnP was only intended for LAN side use. Of these exposed routers, Akamai says over 65,000 home routers are currently being abused. No need for a VPN or Tor when you bounce your Internet data through dozens of other people's routers. This is a gift to spammers, phishers, botnets and the like. It is a bit like having a dedicated bad-guy-only version of Tor. Akamai was kind enough to shame the buggy and vulnerable devices and their manufacturers. Asus is a disgrace, they have a large number of vulnerable devices. Some other manufacturers on the list are D-Link, Ubiquiti, Netgear and ZyXel. Peplink was not on the list. Akamai also blamed ISPs because they are in a position to block UPnP traffic that was never meant to traverse the Internet in the first place. Comcast deserves credit here, they block UDP port 1900. This story did not get nearly enough attention. My guess is that it is beyond the technical comprehension of the many Art History majors that cover technology. Steve Gibson's discussion of UPnProxy (link below) is the only one worth reading/hearing.
- - - -
WHAT YOU CAN DO: How can you tell if your router exposes UPnP to the Internet at large? Steve Gibson has the only test that I am aware of. It is part of his Shields Up! service, the link is below. Every consumer router that I have seen ships with UPnP enabled. So, first off, disable UPnP in your router and then test to see if it was disabled on the Internet/WAN side of the house. Akamai noted that UDP port 1900 is what makes a vulnerable router discoverable. Click here to test if UDP port 1900 is open on your router.
Also, check if your router is doing any port forwarding at all. Nothing to do with UPnProxy, but all forwarded ports are holes in the router firewall and thus potential security weaknesses.
For an Asus router go to System Log, then the Port Forwarding tab. If you see nothing, then you are safe, at the moment. In this screen shot, we see five ports are being forwarded. These are normal forwarding rules in that the destination is a computer on the LAN - they all start with 192.168.1. Victims of UPnProxy would see a public IP address in the "Redirect to" column. I have no idea why UDP port 54051 is being forwarded on this Asus router.
For a TP-Link router, go to the Advanced tab, then NAT forwarding, then UPnP. Again, nothing being forwarded is good. In this screen shot, we see two forwarding rules, both to an "Internal IP Address" (starting with 192.168.0). I don't know if any routers let you disable or delete a UPnP created forwarding rule. As we can see in these two screen shots, neither Asus nor TP-Link supports this. But, at least they do report on UPnP created port forwarding. I tried the emulator for a couple Linksys Smart routers and they do not seem to report on this at all.
Exposing UPnP also opens up your router to attack which Akamai described in their report. It basically converts Remote Administration to Local Administration. To defend against this, change the port number(s) used for local administration and change the LAN side IP address of the router. And, of course, change the router admin password, and, when possible, the router admin userid too. All that said, the Defensive Computing thing to do is to replace a router exposing UPnP on the Internet. It shows the manufacturer is incompetent.
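As an added example (not the page's, Akamai's or any vendor's code), here is a Python audit of a forwarding table like the Asus "Port Forwarding" tab above, plus the check a router's UPnP AddPortMapping handler should apply before creating a rule: only a host on its own LAN may be the target. It assumes a 192.168.1.0/24 LAN with the router at 192.168.1.1; the table is constructed for the example.

```python
"""Added example: audit a router's port-forwarding table for UPnProxy-style
rules and show the InternalClient check a UPnP AddPortMapping handler
should make. Not Akamai's or any vendor's code."""
import ipaddress
from typing import List, NamedTuple, Sequence

# Assumption: the LAN is 192.168.1.0/24 with the router at .1, as in the
# Asus screenshot described in the text.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_IP = ipaddress.ip_address("192.168.1.1")

# RFC 1918 ranges, used only to word the finding (another private network
# versus a public address, the UPnProxy case).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Rule(NamedTuple):
    external_port: int
    protocol: str
    redirect_to: str     # the "Redirect to" / "Internal IP Address" column
    internal_port: int


class Finding(NamedTuple):
    rule: Rule
    reason: str


def internal_client_allowed(internal_client: str, lan: ipaddress.IPv4Network) -> bool:
    """The check a router should apply to InternalClient in AddPortMapping.
    Accepts only a host address inside the router's own LAN; rejects public
    addresses (UPnProxy), other private ranges, the network and broadcast
    addresses, and anything that is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(internal_client)
    except ValueError:
        return False
    if ip.version != lan.version or ip not in lan:
        return False
    return ip not in (lan.network_address, lan.broadcast_address)


def audit_rules(rules: Sequence[Rule], lan: ipaddress.IPv4Network,
                router_ip: ipaddress.IPv4Address = ROUTER_IP) -> List[Finding]:
    """Flag rules whose target is not a LAN host. A rule that forwards to the
    router's own address is flagged too: it exposes the admin interface that
    was only meant to be reachable from the LAN."""
    findings = []
    for r in rules:
        if not internal_client_allowed(r.redirect_to, lan):
            try:
                ip = ipaddress.ip_address(r.redirect_to)
                private = any(ip in net for net in RFC1918)
            except ValueError:
                private = False
            reason = ("forwards to another private network" if private
                      else "forwards to a public address (UPnProxy pattern)")
            findings.append(Finding(r, reason))
        elif ipaddress.ip_address(r.redirect_to) == router_ip:
            findings.append(Finding(r, "forwards to the router itself (admin interface exposure)"))
    return findings


# Constructed table (not from a real router) in the shape of the Asus tab.
SAMPLE_RULES = [
    Rule(8080, "TCP", "192.168.1.50", 8080),    # ordinary rule to a LAN host
    Rule(54051, "UDP", "192.168.1.12", 54051),  # ordinary rule to a LAN host
    Rule(443, "TCP", "203.0.113.9", 443),       # public target: UPnProxy sign
    Rule(5060, "UDP", "10.0.0.5", 5060),        # private, but not this LAN
    Rule(8888, "TCP", "192.168.1.1", 80),       # forwards to the router's own web UI
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, LAN):
        print(f"{f.rule.protocol} {f.rule.external_port} -> "
              f"{f.rule.redirect_to}:{f.rule.internal_port}: {f.reason}")
```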

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices by the Department of Homeland Security, the FBI and the National Cyber Security Centre in the UK April 16, 2018
Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit devices. Instead, they take advantage of: devices with legacy unencrypted protocols or unauthenticated services, devices insufficiently hardened before installation, and devices no longer supported with security patches. These factors allow access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population. Network devices are ideal targets. A malicious actor with presence on an organization’s gateway router has the ability to monitor, modify, and deny traffic to and from the organization. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.
The Russians, like many others, are abusing Cisco Smart Install enabled devices. There is more about abusing Smart Install below, dated April 6th. Details on the Smart Install flaws are on the Bugs page under March 2018. Also being attacked are Generic Routing Encapsulation (GRE) and Simple Network Management Protocol (SNMP). The National Cyber Security Centre (NCSC) is an arm of the British intelligence agency GCHQ. From my Defensive Computing perspective, there is nothing special about Russia; all Internet-facing devices are scanned all the time. I blogged about this last month: Routers are constantly being probed - examining a firewall log.

U.S.-U.K. Warning on Cyberattacks Includes Private Homes by David Kirkpatrick and Ron Nixon for the New York Times April 16, 2018. "Although Washington and London have known for decades that the Kremlin was trying to penetrate their computer networks, the joint warning appeared to represent an effort to deter future attacks by calling attention to existing vulnerabilities, prodding individuals to mitigate them and threatening retaliation against Moscow if damage was done."

US and UK blame Russia for 'malicious' cyber-offensive by Ewen MacAskill of The Guardian April 16, 2018. "The US and UK have previously blamed Russia for cyber-attacks ... But they portrayed this as far more serious because of the potential to undermine infrastructure. Millions of machines had been targeted in a 'sustained' campaign ... Previously the two nations have spoken only of attacks 'originating from Russia', with lines between Russian criminals and state activity being blurred, but they pinned blame on the Kremlin on this occasion ... The decision of the US and UK governments to go public reflects a loss of patience with Moscow after a series of cyber-attacks and hacks allegedly originating from within Russia."

Roaming Mantis uses DNS hijacking to infect Android smartphones by Suguru Ishimaru of Kaspersky Lab Securelist April 16, 2018
Android malware, dubbed Roaming Mantis, is distributed through router DNS hijacking. When a user attempts to access any website via a compromised router, they are redirected to a malicious website. For example, if a web browser tried to access www.securelist.com, it would be redirected to a rogue server that had nothing to do with the security research blog. The nature of the malicious website is hidden from the victim because the web browser displays the original URL. The malicious web page implores the victim to update to the latest version of Chrome. Victims who install the banking malware have their login credentials stolen. The malware can read SMS messages, so it also steals the secret verification code used for two-factor authentication. The article goes into details on the malware, but says nothing about how the routers may have been hacked. It also offers bad advice: "If you have any concerns about the DNS settings on your router, please check the user manual and verify that your DNS settings haven't been tampered with, or contact your ISP for support." Better advice is to use the DNS server tester pages listed here to learn what your DNS servers are.

Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks by Catalin Cimpanu of Bleeping Computer April 12, 2018
According to Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, the number of Advanced Persistent Threats leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. Maybe I should put ads on this site. Their research uncovered the LuckyMouse APT which uses routers for hosting their command and control servers, which, Raiu said, is unusual. They believe that the routers were hacked through an SMB vulnerability which allowed the bad guys to upload CGI scripts. He also pointed out that the US government released a document saying that router attacks have been the preferred attack vector for a number of malicious actors for a number of years, yet reports about router malware and router attacks are few and far between. Thus, Raiu concludes that there's a lot going on that we don't see.

Looks like the Boston Red Sox need better computer nerds

The Red Sox clubhouse's Wi-Fi password does not rank high for creativity by Nik DeCosta-Klipa of Boston.com April 12, 2018
Yankee manager Aaron Boone was being interviewed after a game at Fenway Park against the Boston Red Sox when the camera showed a bulletin board on the wall next to Boone. On the bulletin board was the Wi-Fi network name and password. This got some attention because the password was the miserably insecure "baseball". The Red Sox could hardly have chosen a worse password. They took it well, however, tweeting "Guess we need a new WiFi password". As I explain here on the Wi-Fi encryption page, Wi-Fi passwords need to be at least 14 characters long to resist brute force attacks. However, for a high value target such as the visitors' clubhouse at Fenway Park, I would certainly go with a longer password. When you consider all the schools near Fenway Park (Harvard and MIT come to mind), churning out fresh new techies, I would make the password still longer. The password was not their only mistake; an SSID of "clubhouse" gives away too much information. Why not call it "VisitorsClubhouse" and take away all mystery? Better network names would have been BlueSky or ColdWeather or JoesNetwork. See more about picking an SSID. Some of the suggestions on Twitter for new passwords, shown below, were not half bad.

Chicken and Beer -- Useful to note that spaces are allowed in Wi-Fi passwords. You have to have been a Red Sox fan a few years ago to appreciate the humor in this suggestion.

Slide.spikes.up -- Two special characters and an upper case letter are good. But, if you are only going to have one capital letter, best that it not be the first character. The password is a reference to the game the Yankee manager was being interviewed about.

BatBoggsLeadoff -- three dictionary words is not strong enough for a Wi-Fi password. Wade Boggs played for both the Yankees and the Red Sox, by the way.

JoeKellysRightHook -- four dictionary words is good enough for average folks, but not for the Boston Red Sox.

WeLoveTheBullpenCop -- five dictionary words is an OK choice, but it could use a special character. Maybe "WeLove!TheBullpenCop." It's a reference to a 2013 World Series home run by David Ortiz.

YankeesBlewA3-0Lead -- a great password; it has numbers, upper case letters and a special character.

19RingsToGo -- a password starting with a number is a good strategy, as most people put numbers at the end, but this is just too short.

CityOfChampions -- too short

YuckTheFankyees -- too short, though inventive and has only one dictionary word.

JimRiceHasLoudTie$ -- pretty good password with upper case letters and a special character. Jim Rice used to play for the Red Sox. His name is a bit too short though. If Andrew Benintendi wore loud ties, that would make the password longer and thus more secure.

StantonStruckOutFiveTimesInOneGameTwice -- great password and easy to remember. Still, I might replace "five" and "one" with the numbers 5 and 1. So, "StantonStruckOut5TimesIn1GameTwice" is long, has upper case letters and numbers and is pretty easy to remember. And, since Giancarlo Stanton has played in both leagues, every visiting team can appreciate the password. All that said, starting each word with a capital letter makes it harder to type. This would be easier to type and probably more secure as "stantonstruckout5timesin1gameTWICE". As passwords go, that is a work of art.

OneTwoThreeFourFive -- Ugh

Remember2004ALCS -- a great password, but easier to remember and longer as "Rememberthe2004ALCS"

Olde_Towne_Team -- darn good. Including a special character between words is a great way to make a password more secure.

3timeWSChampsThisCentury -- a great password

A suggestion that made me laugh was to use "JarrodSaltalamacchia," noting that potential hackers are bound to get it wrong. Saltalamacchia used to catch for the Red Sox. My guess is that the same person that chose the old password will choose the new one, so it will probably be "baseball123." It won't take the kids from MIT too long to crack that one.
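The rules argued from above (at least 14 characters, a special character, a capital that is not merely the first character, digits somewhere other than the end, and not just a few dictionary words), applied to the candidate passwords. This is an added example, not code from the original page; the word count is approximated by splitting on capital letters, digits and separators, which is an assumption rather than a real dictionary lookup.

```python
"""Apply the Wi-Fi password rules discussed above to candidate passwords.

Example code only. The thresholds come from the text: 14 characters is the
floor for ordinary use, and a high-value target should use a longer
min_len. Word counting is a rough approximation (see word_segments).
"""
import re
import string

# Spaces are allowed in Wi-Fi passwords, so they count as a separator too.
SPECIALS = set(string.punctuation) | {" "}


def word_segments(pw):
    """Approximate the dictionary words in a password by splitting on capital
    letters and non-letters: 'BatBoggsLeadoff' -> ['Bat', 'Boggs', 'Leadoff'].
    All-lowercase runs such as 'stantonstruckout' count as one word, which
    undercounts; this is an assumed heuristic, not a dictionary lookup."""
    return re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", pw)


def assess(pw, min_len=14):
    """Return the list of objections the text's rules raise; empty means OK."""
    issues = []
    if len(pw) < min_len:
        issues.append(f"too short ({len(pw)} < {min_len})")

    upper_positions = [i for i, c in enumerate(pw) if c.isupper()]
    if not upper_positions:
        issues.append("no upper case letters")
    elif upper_positions == [0]:
        issues.append("only capital letter is the first character")

    digit_count = sum(c.isdigit() for c in pw)
    # Digits that form only a trailing run ("baseball123") add little;
    # digits at the start or in the middle are what the text recommends.
    if digit_count and pw[-digit_count:].isdigit():
        issues.append("digits only at the end")

    has_special = any(c in SPECIALS for c in pw)
    if not has_special:
        issues.append("no special character")

    words = word_segments(pw)
    if not digit_count and not has_special and len(words) <= 3:
        issues.append(f"{len(words)} dictionary word(s) and nothing else")
    return issues


def rank(candidates, min_len=14):
    """Sort candidates by number of objections, then by length (longest first)."""
    return sorted(candidates, key=lambda p: (len(assess(p, min_len)), -len(p)))


if __name__ == "__main__":
    # Candidates from the text plus the original password and the guessed replacement.
    for pw in rank(["baseball", "baseball123", "Slide.spikes.up", "BatBoggsLeadoff",
                    "YankeesBlewA3-0Lead", "19RingsToGo", "Olde_Towne_Team",
                    "CityOfChampions", "stantonstruckout5timesin1gameTWICE"]):
        print(f"{pw:40} {assess(pw) or 'OK'}")
```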

ISPs keep customers ignorant

What most people think it looks like when you change router's admin password, apparently by Kat Hall of The Register April 12, 2018
A survey by the British comparison website Broadband Genie reported that 82 per cent of respondents have never changed their router password. The article is unclear, however, about whether it is referring to the router password or to a Wi-Fi password. The survey also found that 52 per cent have not changed their Wi-Fi network name (SSID). This advertises to bad guys that the owner of this network is technically clueless, which may invite attack. 48 per cent of respondents said they were baffled as to why they would need to make these changes. A pessimist might assume that ignorant customers make fewer tech support calls. This article is just as guilty as the ISPs it is trying to shame. It notes that bad things can happen if the DNS servers in the router are changed, but fails to mention that you can test for this fairly easily. My Test Your Router page lists many websites that report on the currently used DNS servers.

Survey Reveals Users Have No Clue About Router Security by Catalin Cimpanu of Bleeping Computer April 23, 2018. According to Broadband Genie, only 14 percent of the 2,205 respondents have updated their router's firmware and only 18 percent have changed the device's default admin account password ... only 31 percent of users changed the WiFi network password.

Throwing salt on the wound, two days later the magazine came out with their Business Choice Awards for routers, which also recommended Asus. This is crazy; Asus does not make business-class routers. The magazine claimed to have surveyed admins and IT folks; maybe they should use Facebook to find real IT folks. Then again, maybe it tells us more about PC Magazine than it does about Asus.

Cisco devices are being hacked all over the world

What happened to the Internet: attack on Cisco switches by Kaspersky April 6, 2018
At the end of March 2018 Cisco released 34 bug fixes of which three were deemed critical. Details are on the Router Bugs page. By April 6th, there was a massive attack against Cisco switches. These devices are used in data-centers across the globe. The attacks are exploiting a bug in the Cisco Smart Install Client software. The Smart Install protocol does not require authentication and should not be exposed to the Internet. Yet, there it is. Kaspersky blames the nerds working in datacenters for failing to limit access to TCP port 4786. Or, they should have disabled Smart Install altogether. A simple command tests if Smart Install is running and another command can disable it. Hackers have attacked networks in a number of countries including Iran where they left the image of a U.S. flag on screens along with a warning: "Don't mess with our elections." Some hackers claimed to have fixed the bug on vulnerable devices in the U.S. and UK. One report said the flaw apparently affected 200,000 router/switches. Talos found 168,000 devices exposed by the Cisco Smart Install Client. Motherboard reported 166,000. Attackers are able to reset the devices back to their default configuration and display a message to the victims. The attack on some ISPs cut off Internet access for their subscribers. Talos observed hackers exploiting the vulnerability to target critical infrastructure. Joseph Cox of Motherboard said that the attack seems relatively unsophisticated. Talos, which is owned by Cisco, believes that some of the attacks are from nation-state actors. Sounds better than a bunch of 14 year old kids.

Critical Infrastructure at Risk: Advanced Actors Target Smart Install Client by Nick Biasini of Talos. April 5, 2018. Cisco reports on their own screw-up. The company is taking an active stance, whatever that means. The buggy software is legacy, which means phooey on you for using our old stuff. Rather than call it a bug or a flaw or vulnerability, the attacks are due to "protocol misuse". Back in 2016, fellow cyber-security firm Tenable reported observing 251,000 exposed Cisco Smart Install Clients.

Chinese city shops ordered to start using government-approved routers by Shannon Liao of The Verge April 5, 2018
The eastern Chinese city of Qingdao will force shops and restaurants that offer Wi-Fi hotspots to use government-approved routers. The stores have to buy the routers themselves at a cost of either $16 or $63. Failure to use the mandated routers incurs a penalty of up to $18,589. The routers are made by BHU, which boasts on its website about a "long-term close collaboration" with local police in China. Do I even need to mention that in August 2016 an expert found multiple security flaws in a BHU router (see the Router Bugs page)? There were three different ways to gain admin access to the router and it also injected suspicious looking third party JavaScript into HTTP traffic. Qingdao is not the first city to mandate a government-approved router. Free routers were given to shops in Chifeng, a city in Inner Mongolia, in 2016. Multiple cities in China have been told to install a "security management system."

Mirai-Variant IoT Botnet Used to Target Financial Sector in January 2018 by Priscilla Moriuchi and Sanil Chohan of the Insikt Group. April 5, 2018
In late January 2018, three European financial institutions were hit by DDoS attacks powered by a new variant of the Mirai botnet. The botnet that hit the first company consisted of at least 13,000 devices. The Insikt Group used IP geolocation, service banners from Shodan, and additional metadata to analyze the composition of the botnet and found that the attack was 80 percent comprised of compromised MikroTik routers, with the remaining 20 percent composed of various IoT devices ranging from vulnerable Apache and IIS web servers, to routers from Ubiquiti, Cisco, and ZyXEL. All of the compromised MikroTik devices had TCP port 2000 open, which is usually reserved for MikroTik's bandwidth test server protocol. This port is usually enabled by default in new MikroTik devices. No MikroTik devices with TCP 2000 disabled (a recommended security measure in production environments) were discovered within the botnet.

MARCH 2018

Multiple reports of DNS hijacking on Asus routers

Asus RT-AC66U DNS hacking by Mpuk7 at the SmallNetBuilder forum March 10, 2018
Because I maintain this website, someone emailed me asking about their Asus router that had its DNS hijacked. As we both looked into it, there seems to be a lot of that going around. The person who posted this claimed to have the latest Asus firmware, a long password and they had even changed the default router userid. Of course, the latest firmware, at least with consumer routers, always includes old software with known bugs. I am not qualified to review the Asus router log, but this one made it obvious the router was running some old software with known bugs. The router had remote administration enabled, which is almost always a mistake. Two interesting quotes from these reports: "I tried Asus support but they were immensely useless" and another person said Asus was as helpful as a chocolate teapot :-) Two of the bad DNS servers were 185.183.96.174 and 185.117.75.242. Update March 16, 2018: David Redekop suggested this might be the flaw that was abused here: ASUS Patches Root Command Execution Flaws Haunting Over a Dozen Router Models. Routers enabled for Remote Administration using HTTP rather than HTTPS would be vulnerable to this.

Did I just get DNS Hijacked? by Imran at Security.StackExchange.com. March 12, 2018. At first iTunes on his MacBook complained that it couldn't connect to Apple. Then, at www.apple.com, his browser warned that the site was not secure. Here too, Remote Administration of the router was enabled. Asus model AC87U running firmware 3.0.0.4.380.7743 (1 release behind) with a non-default password.

"My ASUS home router was apparently hacked and a rogue DNS server in Dubai added to the configuration. It redirected sites like hxxp://apple.com to a phishing site that (I think) I caught before my children gave away their credentials. Check your routers kids." Tweet by Harlan Barnes @harlanbarnes March 9, 2018

Kaspersky Lab uncovers Slingshot, the spy that came in from the router by Kaspersky March 9, 2018
It is not known how the MikroTik routers were hacked. Currently routers are configured using either a web interface or a mobile app. In the previous century they were administered with Windows software. The hacked routers were administered with Windows software known as Winbox. Winbox, for whatever reason, downloads some Windows executable files (DLLs) from the router. The hacked routers had malicious DLLs that infected the Windows computer used to configure the router. This was professional spyware of the highest caliber. The infections seem to be very targeted, with only around 100 PCs known to be infected. The spyware was extremely effective at stealthy information gathering, hiding its traffic in marked data packets that it can intercept without trace from everyday communications. Operation Slingshot seems to have started in 2012 and was still active in February 2018. The MikroTik router firmware no longer installs software on Windows computers. Winbox is still a thing, but they also have a web interface. Kaspersky software can defend against this. So too can a Chromebook.

Router-Hacking 'Slingshot' Spy Operation Compromised More Than 100 Targets by Andy Greenberg of Wired March 9, 2018. Routers have long made an attractive target for hackers. They're always on and connected, often full of unpatched security vulnerabilities, and offer a convenient chokepoint for eavesdropping on all the data you pipe out to the internet. Infecting a router at a business or coffee shop potentially gives access to a broad range of users.

Ellen Nakashima, of the Washington Post, wrote Russian spies hacked the Olympics and tried to make it look like North Korea did it. Quoting: "Apart from accessing the computers, GRU cyber-operators also hacked routers in South Korea last month ... according to Western intelligence agencies. Such access could enable intelligence collection or network attacks..." The article also has a quote from security expert Jake Williams of Rendition Infosec: "Anyone who controls a router would be able to redirect traffic for one or more selected targets or cause total disruption in the network by stopping the routing entirely."

JANUARY 2018

An old D-Link HNAP flaw exploited by a new botnet

Masuta : Satori Creators' Second Botnet Weaponizes A New Router Exploit. by Ankit Anubhav, Principal Researcher, NewSky Security January 23, 2018. Quoting: "We analyzed two variants of an IoT botnet named 'Masuta' where we ... discovered a router exploit being weaponized for the first time in a botnet campaign ... The weaponized bug introduced in PureMasuta botnet is in the HNAP (Home Network Administration Protocol) which itself is based on the SOAP protocol. It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution."

Tens of Thousands of Defaced MikroTik and Ubiquiti Routers Available Online by Catalin Cimpanu of Bleeping Computer January 10, 2018
If you don't change the default password, you get what you deserve. It seems that, as a prank, someone has been changing the names of routers. Ankit Anubhav of cyber-security company NewSky Security, first ran across this back in July. He estimates that over 40,000 Ubiquiti routers have been defaced along with 7,300 MikroTik routers. The names given to the routers are "HACKED FTP server," "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED," and "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD."

2017

DECEMBER 2017

Satori botnet abusing routers

Warning: Satori, a Mirai Branch Is Spreading in Worm Style on Port 37215 and 52869 by Li Fengpei of Qihoo 360 Netlab December 5, 2017
Quoting: "About 12 hours ago ... we noticed a new version of Satori (a mirai variant which we named Satori), starting to propagate very quickly on port 37215 and 52869. Two new exploits ... have been added ... during last recent 12 hours we have seen 263,250 different IPs scanning port 37215, and 19,403 IPs scanning port 52869." They have not yet disclosed information on the flaw involving port 37215. The bug being exploited on port 52869 is derived from CVE-2014-8361. It is not clear, to me at least, if this is the same botnet that Dan Goodin wrote about below. UPDATE: Script Kiddie Responsible for Large Satori Botnet by Lucian Constantin in Security Boulevard December 22, 2017. Security researchers at Check Point Software believe that the Satori botnet of more than 250,000 routers was created by an amateur hacker with limited skills. The botnet abuses a known bug in the Miniigd UPnP SOAP service on port 52869 and a new bug in Huawei HG532 home gateways on port 37215. Huawei exposed a configuration service intended to be used only on the LAN side to the Internet. It is scary that a relatively unskilled attacker can build a large botnet capable of devastating attacks. It highlights the poor state of router and IoT security across the internet.

IoT Botnet Satori Grows Rapidly Thanks to Zero-Day Flaw by Lucian Constantin in Security Boulevard December 7, 2017. The port 52869 attacks abuse a bug in the Miniigd UPnP SOAP service from a Realtek SDK. The bug was disclosed in 2014 and affects networking devices from multiple vendors that use Realtek RTL81xx chipsets.

Starbucks Wi-Fi hijacked customers' laptops to mine cryptocoins by Lisa Vaas of Sophos December 14, 2017
A Starbucks in Buenos Aires was secretly infecting customer computers to mine cryptocoins. The mining was noticed by Noah Dinkin. It was a JavaScript miner from CoinHive for generating Monero. Starbucks responded that they don't run the Wi-Fi, that it was out of their control but they would contact their ISP.

100,000-strong botnet built on router 0-day could strike at any time by Dan Goodin of Ars Technica December 5, 2017
First off, clickbait. There are many botnets that could strike at any time. It is, sadly, the new normal.
The buggy devices are the Huawei EchoLife Home Gateway and the Huawei Home Gateway. The bug was first disclosed by Check Point Software on Nov. 27, 2017.
The botnet spreads both by abusing a bug and also by guessing 65,000 different userid/password combinations. It does not abuse Remote Administration. This is the second botnet, after Reaper, to spread by abusing flaws in routers. There is much we do not know:
--There are multiple Huawei Home Gateway models and it is not clear if some or all are buggy.
--What firmware versions have the bug?
--What userids/passwords is the botnet guessing?
--Defense. The article says nothing at all about defending against the flaw. Typical of clickbait.
--Does Huawei know about the bug? Acknowledge it? Have they issued a fix?

In June 2017, it came to light that the CIA has been hacking routers for many years. In covering the story:

ZDNet said: "Routers remain a prime target for intelligence agencies and hackers alike because they act as a central port of call for an entire network. What makes routers such an attractive target is that they are more often than not riddled with security flaws that make exploitation easy."

Wired said:
"a CIA hacker can then install their own custom firmware, which it calls Flytrap, on a victim's router. That malicious firmware can monitor the target's browsing, strip the SSL encryption from web links they click, and even inject other exploits into their traffic, designed to offer access directly to the target's PC or phone."

Ars Technica said: "Missions can target connected users based on IPs, e-mail addresses, MAC addresses, chat user names, and VoIP numbers. Mission tasks can include copying all or only some of the traffic; copying e-mail addresses, chat user names, and VoIP numbers; invoking a feature known as 'Windex,' which redirects a user's browser that attempts to perform a drive-by malware attack; establishing a virtual private network connection that gives access to the local area network; and the proxying of all network connections."

2016

OCTOBER 2016

In October 2016, Brian Krebs wrote about malware that targeted Asus and Linksys routers. The software turned the routers into SOCKS proxies, which help bad guys hide their location, much like Tor. Bad guys were using these hacked routers "for a variety of badness, from proxying Web traffic destined for cybercrime forums to testing stolen credit cards at merchant Web sites." Plus, access to these hacked routers was being sold in exchange for Bitcoin.

This is why Router Security matters

IoT Home Router Botnet Leveraged in Large DDoS Attack by Daniel Cid of Sucuri September 1, 2016
This is a blog post about a DDoS attack that Sucuri fought off for a client. The attack used three different botnets, one of them composed of routers.
Sucuri detected over 11,000 compromised routers from eight different vendors. Quoting: "The largest number of routers being exploited came from Huawei-based routers. They varied between versions: HG8245H, HG658d, HG531, etc." Other routers were from MikroTik, Ubiquiti, NuCom, Dell SonicWall, VodaFone, Netgear, and Cisco-IOS.

FEBRUARY 2016

Building router hacked

Building automation systems are so bad IBM hacked one for free by Darren Pauli of The Register Feb 11, 2016
Quoting: "An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicize the horrid state of embedded device security ... they found exposed administration ports ... gaining access to a D-Link panel enabled to allow remote monitoring ... by adding an extra carriage return after the page request it was possible to bypass the router's authentication. They found command injection vulnerabilities in the router and found a list of commands in the firmware source code. They found a cleartext password in the router's var directory that not only granted more router pwnage but, thanks to password-reuse, allowed them to compromise the building management system."
No mention of who made the router, let alone a model number.

2015

In August 2015, Jeff Atwood blogged about how two people he knew fell victim to compromised routers (see Welcome to The Internet of Compromised Things). In one case, the infected router inserted ads onto all HTTP web pages. Quoting:

It's becoming more and more common to see malware installed not at the server, desktop, laptop, or smartphone level, but at the router level ... I write about this because it recently happened to two people I know ... This is way more evil genius than infecting a mere computer. If you can manage to systematically infect common home and business routers, you can potentially compromise every computer connected to them. Router malware is the ultimate man-in-the-middle attack ... [bad guys] can direct you to phishing websites at will - if you think you're on the "real" login page for the banking site you use, think again.

In May 2015, Scott Hanselman wrote about an infected router at his local sandwich shop that "... started to redirect me to a fake 'update your flash' and download a 'Install flashplayer_10924_i13445851_il345.exe' malware file..... This affects their PoS (Point of Sale) system, tablets, iPhones ... It's a MitM attack (Man in the Middle) where x number of HTTP GETs work fine and then every few hundred the router returns its own HTML."

Victims don't have to do anything to have their computing devices infected with malware. A hacked router can corrupt the self-update mechanism of either the operating system or a specific application. In June 2015 a case like this got a lot of publicity: the pre-installed SwiftKey keyboard on Samsung smartphones self-updated in an insecure way that could be corrupted by anyone able to modify network traffic. A hacked router is one source; so too is a malicious ISP, a bad guy on the LAN or malware running on another LAN-resident device. Because the keyboard software ran with very high system privileges, there was almost no end to what the malware it was tricked into installing could do.